EU’s AI Sovereignty Between Mythos and GLM 5.2
According to the Silicon Valley creed, artificial intelligence will cause the near future to be weird. In what way? This is often left a bit vague. Perhaps the cybersecurity capabilities of Anthropic’s Mythos model count as an early manifestation of the impending weirdness. Once models of this class proliferate, many of the computer systems that protect our data, our finances, or even our critical infrastructure may end up compromised on an unprecedented scale. True, the Mythos-wielding defenders (Project Glasswing) began shoring up defences, but this was quickly disrupted by the U.S.-ordered shutdown of the model.
This raises the key question: when will Mythos-class AIs become available more broadly and without the kind of aggressive safety barriers that Anthropic adopted for Mythos and its sibling Fable?
One way to think about that is by looking at how far the other model developers are behind the leading U.S. AI labs, especially those who release their best work with open weights (some call this “open source” AI). At the moment, the only serious followers are in China and, as it happens, one of the Chinese labs just released a model that provoked a great deal of head-scratching: GLM 5.2.
Before GLM 5.2, the more sophisticated observers of the AI scene discounted the several-months-behind estimates of the gap between the U.S. AI frontier and Chinese followers, due to “benchmaxxing.” In other words, the Chinese models “study for the test” — they’re prepared to do well in synthetic benchmarks, while not performing nearly as well on real tasks (like looking for software vulnerabilities). On that view, even if it may seem from benchmark leaderboards that some recent Chinese models reach the level where U.S. models were, for example, four months ago, this is just an illusion.
GLM 5.2 feels different. It is not easy to quantify exactly how good it is compared to the best models, because benchmarks can be misleading. However, at least for coding tasks, I found this model to be impressive. Not quite the level of my daily drivers — Anthropic’s Opus 4.8 and OpenAI’s GPT 5.5 — but I expect I could achieve most of the tasks I use the American models for with GLM 5.2, with a bit more hand-holding and manual review. As some say, this one has a “big model smell.” I would not be surprised to learn that the Chinese model is four to five months behind Opus 4.8, which was announced at the end of May. (E.g., on the DeepSWE benchmark, GLM 5.2 sits between Sonnet 4.6 from February and Opus 4.7 from April.) So, five to six months behind the strongest models publicly released, however briefly, i.e. Mythos/Fable.
What does all this mean for digital, or AI, sovereignty, especially in Europe?
A tempting framing I already see gaining traction in Europe is: the U.S. government’s export ban on Mythos/Fable is the “kill switch” scenario that the EU is so concerned about, while GLM 5.2 shows that any gap behind the U.S. frontier models is small and surmountable even without Anthropic’s or OpenAI’s resources. Hence, the argument goes, those outside of the U.S. and China should move to build their sovereign AI, even at the cost of cutting access to the currently best models. After all, their advantage seems not that significant: what is a few months?
There is truth in there, but also what I see as a very dangerous misconception. The misconception is that a few months don’t matter.
One of the most basic ideas in cybersecurity is the asymmetry between offence and defence. The defenders struggle to secure large and complex surfaces of software systems, not to mention the pesky humans who always seem almost intent on doing the insecure-but-convenient thing. The attackers only need to find a hole in that large surface, even a small one.
The hope of AI-enabled cybersecurity is that AIs will make the very difficult job of securing systems easier, so there will be fewer vulnerabilities to exploit. But so far it looks like AI will at the same time also superpower the attackers. The offence-favouring asymmetry remains.
What if the defenders use AI tools that outclass the tools available to the attackers? If the tools available to the defenders really are much better, then the hope of AI cybersecurity may be attainable. This is what Anthropic’s Project Glasswing appears to aim for.
However, there is also unusual urgency to Project Glasswing because the vulnerabilities that Mythos discovers are expected to be discoverable once the trailing models catch up. With GLM 5.2, it really does look like this may happen before the end of the year.
Cybersecurity is an important example of an adversarial domain where even a relatively brief lead may give an enormous advantage. This is also true of various military and intelligence applications, as well as applications in, for example, financial markets.
With AIs getting really good, which is only beginning to happen, not having access to the best will mean losing a lot.
This is why the EU cannot afford to lose access to the real state-of-the-art in AI. But given that such AI is controlled by the U.S., the question is how to secure access?
My answer is: to build reciprocal dependency, but also to reduce dependency (see also my “Build AI, Don’t Block Access: The European Union’s Digital-Sovereignty Trap” and “Europe’s Sovereignty Stack: CADA, Compute, and the Limits of Autarky”). This way, the EU can maximise its leverage to secure access to frontier AI, while at the same time building resilience.
Reducing dependency
Use smaller, non-frontier models when efficient
Many private and public sector tasks do not need the most advanced models, and thus “good enough” AI systems are economically important. Many workloads are specialised enough that a smaller model can match or beat a general frontier one anyway — especially on running (inference) costs.
For example, I successfully use the best small-ish large language models (LLMs), like Qwen 3.6 35B or 27B (35 or 27 billion parameters), in a legal and policy “deep research” system I’ve been developing. When I do so, I still use the frontier models for coding and for automated testing of how well the smaller models are performing under what parameters. Another pattern that I employ is to give the best model the role of a “manager” that delegates jobs to smaller models — like GLM 5.2 — and checks the quality of the outputs. Here, I’m still dependent on the best model, but I reduce my overall usage of it (and thus optimise costs).
It is important not to overstate how much work can be efficiently moved to non-frontier models. As my examples show, for “higher intelligence” tasks it would be a waste of my time to use anything other than the frontier models. What’s more, while it is true that techniques like fine-tuning (or even in-context learning) can yield great results with non-frontier models, development of such use patterns is often time-consuming and requires (expensive) expertise. So, relatively high per-token prices of the frontier models may be misleading. Once you factor in the cost of coaxing non-frontier models to the required performance, you will sometimes find it’s not worth it.
That said, a great deal can be moved to non-frontier models for large-scale, repetitive work — and, somewhat paradoxically, it is often the frontier models that make this possible, by generating training data for the smaller ones, orchestrating them, and grading their output. And once the good-enough AIs are deployed in ways fully controlled in Europe, the dependence on the non-European stack is limited. For the “good enough” AI tier, a Europe that can supply itself gives others less leverage over it. That is not everything, and it is not enough — but it is something.
Build compute
When it comes to hardware needed to run AIs, Europe can — at least if we set aside the legal and political obstacles — build large amounts of compute. This compute is needed, first, to run European (and non-European) open weights models at a sufficient scale to realise the economic potential of the technology. As the European Commission itself noted, we currently have a deficit of compute. And, without large investments, this deficit will only grow. The same compute does double duty: it is also the basis for the reciprocal dependence I turn to next.
Building reciprocal dependency
Building compute could give Europe the bargaining power it now lacks. Demand for compute will grow faster than even American supply can meet. Suppose the European Union had a large amount of modern data-centre capacity and was willing to host the compute of U.S. firms. That would create mutual dependence, and a future cutoff would then be too costly for the United States to consider. If U.S. firms ran both European and U.S. compute in European data centres, then cutting off Europe would do more than lose them non-U.S. revenue. It would directly harm U.S. customers — arguably a weightier, more systemic deterrent for the U.S. government contemplating a “kill switch” than the mere loss of U.S. labs’ foreign revenue.
To build that compute and win enough of the market that the United States truly depends on it, Europe needs to move fast. It needs to grant permits, including environmental permits, and to connect projects to the electricity grid quickly. This must be fast enough that building in the European Union is more attractive than waiting to build elsewhere. With those faster rules in place, public subsidies may not be necessary. Without those changes, even large subsidies will not be enough.
EU CADA does not deliver
The Cloud and AI Development Act (CADA), proposed by the Commission as the centrepiece of its Technological Sovereignty Package, is Brussels’ main response to exactly the kind of cutoff that hit Mythos and Fable. It sorts public-sector cloud and AI services into four security tiers it calls “assurance levels.” Two things about this are sensible: the obligations scale with risk, and they apply only to the public sector. The trouble starts at the top tier, where CADA tries to shield European buyers from foreign-government interference — and does so by effectively shutting out providers even when they are American-owned.
In the same week it proposed CADA, the EU moved the opposite way on the rest of the stack: member states agreed to join the U.S.-led “Pax Silica” chip alliance and to buy American AI chips. So the EU decided to align itself more tightly with the American technology stack with one hand while, through CADA, trying to wall its most sensitive work off from that same stack with the other.
CADA includes one exception to its ownership restrictions (the exception does not apply at the highest “assurance” level). A provider’s home country can be officially recognised as an “associated third country.” But the conditions for this look designed to exclude the United States. For example, one part of CADA would disqualify any country that keeps rules which “impede the provision of state-of-the-art technologies.” Read literally, that would disqualify a country simply for using export controls. Yet those same export controls are the basis of the Western technology alliance. It would exclude an ally for taking part in the same system that the European Union itself joined through Pax Silica.
This is probably the biggest flaw in CADA: in practice, it gives up access to the best AI exactly where Europe needs it most. That is in defence, intelligence, and other national-security work.
When ownership restrictions bite, CADA allows purchases that would otherwise violate them when “no adequate or reasonable alternative” exists. But the exception has onerous conditions. For example, the buyer may first have to run a public tender that fails to find a supplier. The exception looks designed to be hard to use in practice. This is a strange choice, because the Commission’s own analysis admitted that dependence is “inevitable.”
In a communication that came with the proposal, the Commission said that technological sovereignty “does not mean isolation, protectionism, or tech decoupling,” and promised that the European Union would stay “open to the world.” Similarly, at the recent G7 summit, the Commission’s President Ursula von der Leyen said: “We want our own AI future, not in isolation – that is very important – but together with our trusted partners.” Those declarations do not match the text of the CADA proposal or Commissioner Virkkunen’s public statements.
In CADA, the Commission got one thing right. It saw the need to speed up permits for data centres and related infrastructure. It just was not nearly ambitious enough.
The fast-track CADA offers is narrow: mandatory data-centre “acceleration zones,” a cap meant to hold the project-level permit under twelve months, and “strategic project” status for the largest builds. The trouble is that the twelve-month clock leaves untouched the two things that actually hold compute back — environmental review, which is left fully in place, with none of the legal overrides that renewable-energy projects enjoy, and grid connection, where CADA creates no right to connect and adds no new power. A project can clear its permit in a year and still wait years to energise. The fast-track fixes a part of the paperwork bottleneck. The rest of the build agenda — capital markets, corporate law, taxation — is barely touched.
The lesson of the Mythos/Fable cutoff — and of GLM 5.2 — is not that Europe can shrug off the frontier because the gap is “only” a few months. In an adversarial world those months are decisive. The answer is leverage: use the good-enough models, build the compute others come to depend on.

